Malware Analysis Report

2025-01-03 07:45

Sample ID 230426-lg2tnagd92
Target SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
SHA256 1e712ef0a37d9e8d2f6ef512da2438ef05e073cde9ae6677858b9ebbd1c23b2b
Tags blustealer collection stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score

10/10

SHA256

1e712ef0a37d9e8d2f6ef512da2438ef05e073cde9ae6677858b9ebbd1c23b2b

Threat Level: Known bad

The file SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe was found to be: Known bad.

Malicious Activity Summary

blustealer collection stealer

BluStealer

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-26 09:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-26 09:31

Reported

2023-04-26 09:33

Platform

win7-20230220-en

Max time kernel

65s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"

Signatures

BluStealer

stealer blustealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1324 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1324 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1324 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1324 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1324 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1324 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1324 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1324 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1324 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 520 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 520 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 520 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 520 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 520 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 520 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 520 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 520 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 520 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Network

N/A

Files

memory/1324-54-0x00000000010F0000-0x000000000120A000-memory.dmp

memory/1324-55-0x0000000004A20000-0x0000000004A60000-memory.dmp

memory/1324-56-0x00000000005A0000-0x00000000005B2000-memory.dmp

memory/1324-57-0x0000000004A20000-0x0000000004A60000-memory.dmp

memory/1324-58-0x0000000000A40000-0x0000000000A4C000-memory.dmp

memory/1324-59-0x0000000005930000-0x00000000059DC000-memory.dmp

memory/1324-60-0x00000000054F0000-0x0000000005566000-memory.dmp

memory/520-61-0x0000000000400000-0x000000000046E000-memory.dmp

memory/520-62-0x0000000000400000-0x000000000046E000-memory.dmp

memory/520-63-0x0000000000400000-0x000000000046E000-memory.dmp

memory/520-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/520-66-0x0000000000400000-0x000000000046E000-memory.dmp

memory/520-68-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2040-71-0x0000000000090000-0x00000000000F6000-memory.dmp

memory/2040-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/520-74-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2040-73-0x0000000000090000-0x00000000000F6000-memory.dmp

memory/2040-76-0x0000000000090000-0x00000000000F6000-memory.dmp

memory/2040-78-0x0000000000090000-0x00000000000F6000-memory.dmp

memory/2040-79-0x0000000000EC0000-0x0000000000F7C000-memory.dmp

memory/520-80-0x0000000000400000-0x000000000046E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-26 09:31

Reported

2023-04-26 09:33

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"

Signatures

BluStealer

stealer blustealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1476 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 1476 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
PID 3888 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3888 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3888 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3888 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3888 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
IE | 20.54.89.15:443 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 13.89.179.10:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp
US | 93.184.221.240:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp

Files

memory/1476-133-0x0000000000510000-0x000000000062A000-memory.dmp

memory/1476-134-0x00000000055A0000-0x0000000005B44000-memory.dmp

memory/1476-135-0x0000000004FF0000-0x0000000005082000-memory.dmp

memory/1476-136-0x00000000054D0000-0x00000000054DA000-memory.dmp

memory/1476-137-0x0000000004F90000-0x0000000004FA0000-memory.dmp

memory/1476-138-0x0000000004F90000-0x0000000004FA0000-memory.dmp

memory/1476-139-0x0000000007230000-0x00000000072CC000-memory.dmp

memory/3888-140-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3888-143-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3888-146-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3776-147-0x0000000000580000-0x00000000005E6000-memory.dmp

memory/3888-149-0x0000000000400000-0x000000000046E000-memory.dmp